1 /* $OpenBSD: s3_lib.c,v 1.198.4.1 2021/03/15 15:59:04 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdio.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/curve25519.h> 156 #include <openssl/dh.h> 157 #include <openssl/md5.h> 158 #include <openssl/objects.h> 159 160 #include "ssl_locl.h" 161 #include "bytestring.h" 162 163 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) 164 165 /* 166 * FIXED_NONCE_LEN is a macro that provides in the correct value to set the 167 * fixed nonce length in algorithms2. It is the inverse of the 168 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. 169 */ 170 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) 171 172 /* list of available SSLv3 ciphers (sorted by id) */ 173 SSL_CIPHER ssl3_ciphers[] = { 174 175 /* The RSA ciphers */ 176 /* Cipher 01 */ 177 { 178 .valid = 1, 179 .name = SSL3_TXT_RSA_NULL_MD5, 180 .id = SSL3_CK_RSA_NULL_MD5, 181 .algorithm_mkey = SSL_kRSA, 182 .algorithm_auth = SSL_aRSA, 183 .algorithm_enc = SSL_eNULL, 184 .algorithm_mac = SSL_MD5, 185 .algorithm_ssl = SSL_SSLV3, 186 .algo_strength = SSL_STRONG_NONE, 187 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 188 .strength_bits = 0, 189 .alg_bits = 0, 190 }, 191 192 /* Cipher 02 */ 193 { 194 .valid = 1, 195 .name = SSL3_TXT_RSA_NULL_SHA, 196 .id = SSL3_CK_RSA_NULL_SHA, 197 .algorithm_mkey = SSL_kRSA, 198 .algorithm_auth = SSL_aRSA, 199 .algorithm_enc = SSL_eNULL, 200 .algorithm_mac = SSL_SHA1, 201 .algorithm_ssl = SSL_SSLV3, 202 .algo_strength = SSL_STRONG_NONE, 203 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 204 .strength_bits = 0, 205 .alg_bits = 0, 206 }, 207 208 /* Cipher 04 */ 209 { 210 .valid = 1, 211 .name = SSL3_TXT_RSA_RC4_128_MD5, 212 .id = SSL3_CK_RSA_RC4_128_MD5, 213 .algorithm_mkey = SSL_kRSA, 214 .algorithm_auth = SSL_aRSA, 215 .algorithm_enc = SSL_RC4, 216 .algorithm_mac = SSL_MD5, 217 .algorithm_ssl = SSL_SSLV3, 218 .algo_strength = SSL_LOW, 219 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 220 .strength_bits = 128, 221 .alg_bits = 128, 222 }, 223 224 /* Cipher 05 */ 225 { 226 .valid = 1, 227 .name = SSL3_TXT_RSA_RC4_128_SHA, 228 .id = SSL3_CK_RSA_RC4_128_SHA, 229 .algorithm_mkey = SSL_kRSA, 230 .algorithm_auth = SSL_aRSA, 231 .algorithm_enc = SSL_RC4, 232 .algorithm_mac = SSL_SHA1, 233 .algorithm_ssl = SSL_SSLV3, 234 .algo_strength = SSL_LOW, 235 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 236 .strength_bits = 128, 237 .alg_bits = 128, 238 }, 239 240 /* Cipher 0A */ 241 { 242 .valid = 1, 243 .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, 244 .id = SSL3_CK_RSA_DES_192_CBC3_SHA, 245 .algorithm_mkey = SSL_kRSA, 246 .algorithm_auth = SSL_aRSA, 247 .algorithm_enc = SSL_3DES, 248 .algorithm_mac = SSL_SHA1, 249 .algorithm_ssl = SSL_SSLV3, 250 .algo_strength = SSL_MEDIUM, 251 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 252 .strength_bits = 112, 253 .alg_bits = 168, 254 }, 255 256 /* 257 * Ephemeral DH (DHE) ciphers. 258 */ 259 260 /* Cipher 16 */ 261 { 262 .valid = 1, 263 .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 264 .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 265 .algorithm_mkey = SSL_kDHE, 266 .algorithm_auth = SSL_aRSA, 267 .algorithm_enc = SSL_3DES, 268 .algorithm_mac = SSL_SHA1, 269 .algorithm_ssl = SSL_SSLV3, 270 .algo_strength = SSL_MEDIUM, 271 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 272 .strength_bits = 112, 273 .alg_bits = 168, 274 }, 275 276 /* Cipher 18 */ 277 { 278 .valid = 1, 279 .name = SSL3_TXT_ADH_RC4_128_MD5, 280 .id = SSL3_CK_ADH_RC4_128_MD5, 281 .algorithm_mkey = SSL_kDHE, 282 .algorithm_auth = SSL_aNULL, 283 .algorithm_enc = SSL_RC4, 284 .algorithm_mac = SSL_MD5, 285 .algorithm_ssl = SSL_SSLV3, 286 .algo_strength = SSL_LOW, 287 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 288 .strength_bits = 128, 289 .alg_bits = 128, 290 }, 291 292 /* Cipher 1B */ 293 { 294 .valid = 1, 295 .name = SSL3_TXT_ADH_DES_192_CBC_SHA, 296 .id = SSL3_CK_ADH_DES_192_CBC_SHA, 297 .algorithm_mkey = SSL_kDHE, 298 .algorithm_auth = SSL_aNULL, 299 .algorithm_enc = SSL_3DES, 300 .algorithm_mac = SSL_SHA1, 301 .algorithm_ssl = SSL_SSLV3, 302 .algo_strength = SSL_MEDIUM, 303 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 304 .strength_bits = 112, 305 .alg_bits = 168, 306 }, 307 308 /* 309 * AES ciphersuites. 310 */ 311 312 /* Cipher 2F */ 313 { 314 .valid = 1, 315 .name = TLS1_TXT_RSA_WITH_AES_128_SHA, 316 .id = TLS1_CK_RSA_WITH_AES_128_SHA, 317 .algorithm_mkey = SSL_kRSA, 318 .algorithm_auth = SSL_aRSA, 319 .algorithm_enc = SSL_AES128, 320 .algorithm_mac = SSL_SHA1, 321 .algorithm_ssl = SSL_TLSV1, 322 .algo_strength = SSL_HIGH, 323 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 324 .strength_bits = 128, 325 .alg_bits = 128, 326 }, 327 328 /* Cipher 33 */ 329 { 330 .valid = 1, 331 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 332 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 333 .algorithm_mkey = SSL_kDHE, 334 .algorithm_auth = SSL_aRSA, 335 .algorithm_enc = SSL_AES128, 336 .algorithm_mac = SSL_SHA1, 337 .algorithm_ssl = SSL_TLSV1, 338 .algo_strength = SSL_HIGH, 339 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 340 .strength_bits = 128, 341 .alg_bits = 128, 342 }, 343 344 /* Cipher 34 */ 345 { 346 .valid = 1, 347 .name = TLS1_TXT_ADH_WITH_AES_128_SHA, 348 .id = TLS1_CK_ADH_WITH_AES_128_SHA, 349 .algorithm_mkey = SSL_kDHE, 350 .algorithm_auth = SSL_aNULL, 351 .algorithm_enc = SSL_AES128, 352 .algorithm_mac = SSL_SHA1, 353 .algorithm_ssl = SSL_TLSV1, 354 .algo_strength = SSL_HIGH, 355 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 356 .strength_bits = 128, 357 .alg_bits = 128, 358 }, 359 360 /* Cipher 35 */ 361 { 362 .valid = 1, 363 .name = TLS1_TXT_RSA_WITH_AES_256_SHA, 364 .id = TLS1_CK_RSA_WITH_AES_256_SHA, 365 .algorithm_mkey = SSL_kRSA, 366 .algorithm_auth = SSL_aRSA, 367 .algorithm_enc = SSL_AES256, 368 .algorithm_mac = SSL_SHA1, 369 .algorithm_ssl = SSL_TLSV1, 370 .algo_strength = SSL_HIGH, 371 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 372 .strength_bits = 256, 373 .alg_bits = 256, 374 }, 375 376 /* Cipher 39 */ 377 { 378 .valid = 1, 379 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 380 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 381 .algorithm_mkey = SSL_kDHE, 382 .algorithm_auth = SSL_aRSA, 383 .algorithm_enc = SSL_AES256, 384 .algorithm_mac = SSL_SHA1, 385 .algorithm_ssl = SSL_TLSV1, 386 .algo_strength = SSL_HIGH, 387 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 388 .strength_bits = 256, 389 .alg_bits = 256, 390 }, 391 392 /* Cipher 3A */ 393 { 394 .valid = 1, 395 .name = TLS1_TXT_ADH_WITH_AES_256_SHA, 396 .id = TLS1_CK_ADH_WITH_AES_256_SHA, 397 .algorithm_mkey = SSL_kDHE, 398 .algorithm_auth = SSL_aNULL, 399 .algorithm_enc = SSL_AES256, 400 .algorithm_mac = SSL_SHA1, 401 .algorithm_ssl = SSL_TLSV1, 402 .algo_strength = SSL_HIGH, 403 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 404 .strength_bits = 256, 405 .alg_bits = 256, 406 }, 407 408 /* TLS v1.2 ciphersuites */ 409 /* Cipher 3B */ 410 { 411 .valid = 1, 412 .name = TLS1_TXT_RSA_WITH_NULL_SHA256, 413 .id = TLS1_CK_RSA_WITH_NULL_SHA256, 414 .algorithm_mkey = SSL_kRSA, 415 .algorithm_auth = SSL_aRSA, 416 .algorithm_enc = SSL_eNULL, 417 .algorithm_mac = SSL_SHA256, 418 .algorithm_ssl = SSL_TLSV1_2, 419 .algo_strength = SSL_STRONG_NONE, 420 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 421 .strength_bits = 0, 422 .alg_bits = 0, 423 }, 424 425 /* Cipher 3C */ 426 { 427 .valid = 1, 428 .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, 429 .id = TLS1_CK_RSA_WITH_AES_128_SHA256, 430 .algorithm_mkey = SSL_kRSA, 431 .algorithm_auth = SSL_aRSA, 432 .algorithm_enc = SSL_AES128, 433 .algorithm_mac = SSL_SHA256, 434 .algorithm_ssl = SSL_TLSV1_2, 435 .algo_strength = SSL_HIGH, 436 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 437 .strength_bits = 128, 438 .alg_bits = 128, 439 }, 440 441 /* Cipher 3D */ 442 { 443 .valid = 1, 444 .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, 445 .id = TLS1_CK_RSA_WITH_AES_256_SHA256, 446 .algorithm_mkey = SSL_kRSA, 447 .algorithm_auth = SSL_aRSA, 448 .algorithm_enc = SSL_AES256, 449 .algorithm_mac = SSL_SHA256, 450 .algorithm_ssl = SSL_TLSV1_2, 451 .algo_strength = SSL_HIGH, 452 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 453 .strength_bits = 256, 454 .alg_bits = 256, 455 }, 456 457 #ifndef OPENSSL_NO_CAMELLIA 458 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 459 460 /* Cipher 41 */ 461 { 462 .valid = 1, 463 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 464 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 465 .algorithm_mkey = SSL_kRSA, 466 .algorithm_auth = SSL_aRSA, 467 .algorithm_enc = SSL_CAMELLIA128, 468 .algorithm_mac = SSL_SHA1, 469 .algorithm_ssl = SSL_TLSV1, 470 .algo_strength = SSL_HIGH, 471 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 472 .strength_bits = 128, 473 .alg_bits = 128, 474 }, 475 476 /* Cipher 45 */ 477 { 478 .valid = 1, 479 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 480 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 481 .algorithm_mkey = SSL_kDHE, 482 .algorithm_auth = SSL_aRSA, 483 .algorithm_enc = SSL_CAMELLIA128, 484 .algorithm_mac = SSL_SHA1, 485 .algorithm_ssl = SSL_TLSV1, 486 .algo_strength = SSL_HIGH, 487 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 488 .strength_bits = 128, 489 .alg_bits = 128, 490 }, 491 492 /* Cipher 46 */ 493 { 494 .valid = 1, 495 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 496 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 497 .algorithm_mkey = SSL_kDHE, 498 .algorithm_auth = SSL_aNULL, 499 .algorithm_enc = SSL_CAMELLIA128, 500 .algorithm_mac = SSL_SHA1, 501 .algorithm_ssl = SSL_TLSV1, 502 .algo_strength = SSL_HIGH, 503 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 504 .strength_bits = 128, 505 .alg_bits = 128, 506 }, 507 #endif /* OPENSSL_NO_CAMELLIA */ 508 509 /* TLS v1.2 ciphersuites */ 510 /* Cipher 67 */ 511 { 512 .valid = 1, 513 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 514 .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 515 .algorithm_mkey = SSL_kDHE, 516 .algorithm_auth = SSL_aRSA, 517 .algorithm_enc = SSL_AES128, 518 .algorithm_mac = SSL_SHA256, 519 .algorithm_ssl = SSL_TLSV1_2, 520 .algo_strength = SSL_HIGH, 521 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 522 .strength_bits = 128, 523 .alg_bits = 128, 524 }, 525 526 /* Cipher 6B */ 527 { 528 .valid = 1, 529 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 530 .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 531 .algorithm_mkey = SSL_kDHE, 532 .algorithm_auth = SSL_aRSA, 533 .algorithm_enc = SSL_AES256, 534 .algorithm_mac = SSL_SHA256, 535 .algorithm_ssl = SSL_TLSV1_2, 536 .algo_strength = SSL_HIGH, 537 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 538 .strength_bits = 256, 539 .alg_bits = 256, 540 }, 541 542 /* Cipher 6C */ 543 { 544 .valid = 1, 545 .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, 546 .id = TLS1_CK_ADH_WITH_AES_128_SHA256, 547 .algorithm_mkey = SSL_kDHE, 548 .algorithm_auth = SSL_aNULL, 549 .algorithm_enc = SSL_AES128, 550 .algorithm_mac = SSL_SHA256, 551 .algorithm_ssl = SSL_TLSV1_2, 552 .algo_strength = SSL_HIGH, 553 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 554 .strength_bits = 128, 555 .alg_bits = 128, 556 }, 557 558 /* Cipher 6D */ 559 { 560 .valid = 1, 561 .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, 562 .id = TLS1_CK_ADH_WITH_AES_256_SHA256, 563 .algorithm_mkey = SSL_kDHE, 564 .algorithm_auth = SSL_aNULL, 565 .algorithm_enc = SSL_AES256, 566 .algorithm_mac = SSL_SHA256, 567 .algorithm_ssl = SSL_TLSV1_2, 568 .algo_strength = SSL_HIGH, 569 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 570 .strength_bits = 256, 571 .alg_bits = 256, 572 }, 573 574 /* GOST Ciphersuites */ 575 576 /* Cipher 81 */ 577 { 578 .valid = 1, 579 .name = "GOST2001-GOST89-GOST89", 580 .id = 0x3000081, 581 .algorithm_mkey = SSL_kGOST, 582 .algorithm_auth = SSL_aGOST01, 583 .algorithm_enc = SSL_eGOST2814789CNT, 584 .algorithm_mac = SSL_GOST89MAC, 585 .algorithm_ssl = SSL_TLSV1, 586 .algo_strength = SSL_HIGH, 587 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| 588 TLS1_STREAM_MAC, 589 .strength_bits = 256, 590 .alg_bits = 256 591 }, 592 593 /* Cipher 83 */ 594 { 595 .valid = 1, 596 .name = "GOST2001-NULL-GOST94", 597 .id = 0x3000083, 598 .algorithm_mkey = SSL_kGOST, 599 .algorithm_auth = SSL_aGOST01, 600 .algorithm_enc = SSL_eNULL, 601 .algorithm_mac = SSL_GOST94, 602 .algorithm_ssl = SSL_TLSV1, 603 .algo_strength = SSL_STRONG_NONE, 604 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, 605 .strength_bits = 0, 606 .alg_bits = 0 607 }, 608 609 #ifndef OPENSSL_NO_CAMELLIA 610 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 611 612 /* Cipher 84 */ 613 { 614 .valid = 1, 615 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 616 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 617 .algorithm_mkey = SSL_kRSA, 618 .algorithm_auth = SSL_aRSA, 619 .algorithm_enc = SSL_CAMELLIA256, 620 .algorithm_mac = SSL_SHA1, 621 .algorithm_ssl = SSL_TLSV1, 622 .algo_strength = SSL_HIGH, 623 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 624 .strength_bits = 256, 625 .alg_bits = 256, 626 }, 627 628 /* Cipher 88 */ 629 { 630 .valid = 1, 631 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 632 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 633 .algorithm_mkey = SSL_kDHE, 634 .algorithm_auth = SSL_aRSA, 635 .algorithm_enc = SSL_CAMELLIA256, 636 .algorithm_mac = SSL_SHA1, 637 .algorithm_ssl = SSL_TLSV1, 638 .algo_strength = SSL_HIGH, 639 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 640 .strength_bits = 256, 641 .alg_bits = 256, 642 }, 643 644 /* Cipher 89 */ 645 { 646 .valid = 1, 647 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 648 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 649 .algorithm_mkey = SSL_kDHE, 650 .algorithm_auth = SSL_aNULL, 651 .algorithm_enc = SSL_CAMELLIA256, 652 .algorithm_mac = SSL_SHA1, 653 .algorithm_ssl = SSL_TLSV1, 654 .algo_strength = SSL_HIGH, 655 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 656 .strength_bits = 256, 657 .alg_bits = 256, 658 }, 659 #endif /* OPENSSL_NO_CAMELLIA */ 660 661 /* 662 * GCM ciphersuites from RFC5288. 663 */ 664 665 /* Cipher 9C */ 666 { 667 .valid = 1, 668 .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 669 .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 670 .algorithm_mkey = SSL_kRSA, 671 .algorithm_auth = SSL_aRSA, 672 .algorithm_enc = SSL_AES128GCM, 673 .algorithm_mac = SSL_AEAD, 674 .algorithm_ssl = SSL_TLSV1_2, 675 .algo_strength = SSL_HIGH, 676 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 677 FIXED_NONCE_LEN(4)| 678 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 679 .strength_bits = 128, 680 .alg_bits = 128, 681 }, 682 683 /* Cipher 9D */ 684 { 685 .valid = 1, 686 .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 687 .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 688 .algorithm_mkey = SSL_kRSA, 689 .algorithm_auth = SSL_aRSA, 690 .algorithm_enc = SSL_AES256GCM, 691 .algorithm_mac = SSL_AEAD, 692 .algorithm_ssl = SSL_TLSV1_2, 693 .algo_strength = SSL_HIGH, 694 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 695 FIXED_NONCE_LEN(4)| 696 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 697 .strength_bits = 256, 698 .alg_bits = 256, 699 }, 700 701 /* Cipher 9E */ 702 { 703 .valid = 1, 704 .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 705 .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 706 .algorithm_mkey = SSL_kDHE, 707 .algorithm_auth = SSL_aRSA, 708 .algorithm_enc = SSL_AES128GCM, 709 .algorithm_mac = SSL_AEAD, 710 .algorithm_ssl = SSL_TLSV1_2, 711 .algo_strength = SSL_HIGH, 712 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 713 FIXED_NONCE_LEN(4)| 714 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 715 .strength_bits = 128, 716 .alg_bits = 128, 717 }, 718 719 /* Cipher 9F */ 720 { 721 .valid = 1, 722 .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 723 .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 724 .algorithm_mkey = SSL_kDHE, 725 .algorithm_auth = SSL_aRSA, 726 .algorithm_enc = SSL_AES256GCM, 727 .algorithm_mac = SSL_AEAD, 728 .algorithm_ssl = SSL_TLSV1_2, 729 .algo_strength = SSL_HIGH, 730 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 731 FIXED_NONCE_LEN(4)| 732 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 733 .strength_bits = 256, 734 .alg_bits = 256, 735 }, 736 737 /* Cipher A6 */ 738 { 739 .valid = 1, 740 .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, 741 .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, 742 .algorithm_mkey = SSL_kDHE, 743 .algorithm_auth = SSL_aNULL, 744 .algorithm_enc = SSL_AES128GCM, 745 .algorithm_mac = SSL_AEAD, 746 .algorithm_ssl = SSL_TLSV1_2, 747 .algo_strength = SSL_HIGH, 748 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 749 FIXED_NONCE_LEN(4)| 750 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 751 .strength_bits = 128, 752 .alg_bits = 128, 753 }, 754 755 /* Cipher A7 */ 756 { 757 .valid = 1, 758 .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, 759 .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, 760 .algorithm_mkey = SSL_kDHE, 761 .algorithm_auth = SSL_aNULL, 762 .algorithm_enc = SSL_AES256GCM, 763 .algorithm_mac = SSL_AEAD, 764 .algorithm_ssl = SSL_TLSV1_2, 765 .algo_strength = SSL_HIGH, 766 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 767 FIXED_NONCE_LEN(4)| 768 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 769 .strength_bits = 256, 770 .alg_bits = 256, 771 }, 772 773 #ifndef OPENSSL_NO_CAMELLIA 774 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ 775 776 /* Cipher BA */ 777 { 778 .valid = 1, 779 .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, 780 .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, 781 .algorithm_mkey = SSL_kRSA, 782 .algorithm_auth = SSL_aRSA, 783 .algorithm_enc = SSL_CAMELLIA128, 784 .algorithm_mac = SSL_SHA256, 785 .algorithm_ssl = SSL_TLSV1_2, 786 .algo_strength = SSL_HIGH, 787 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 788 .strength_bits = 128, 789 .alg_bits = 128, 790 }, 791 792 /* Cipher BE */ 793 { 794 .valid = 1, 795 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 796 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 797 .algorithm_mkey = SSL_kDHE, 798 .algorithm_auth = SSL_aRSA, 799 .algorithm_enc = SSL_CAMELLIA128, 800 .algorithm_mac = SSL_SHA256, 801 .algorithm_ssl = SSL_TLSV1_2, 802 .algo_strength = SSL_HIGH, 803 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 804 .strength_bits = 128, 805 .alg_bits = 128, 806 }, 807 808 /* Cipher BF */ 809 { 810 .valid = 1, 811 .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, 812 .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, 813 .algorithm_mkey = SSL_kDHE, 814 .algorithm_auth = SSL_aNULL, 815 .algorithm_enc = SSL_CAMELLIA128, 816 .algorithm_mac = SSL_SHA256, 817 .algorithm_ssl = SSL_TLSV1_2, 818 .algo_strength = SSL_HIGH, 819 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 820 .strength_bits = 128, 821 .alg_bits = 128, 822 }, 823 824 /* Cipher C0 */ 825 { 826 .valid = 1, 827 .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, 828 .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, 829 .algorithm_mkey = SSL_kRSA, 830 .algorithm_auth = SSL_aRSA, 831 .algorithm_enc = SSL_CAMELLIA256, 832 .algorithm_mac = SSL_SHA256, 833 .algorithm_ssl = SSL_TLSV1_2, 834 .algo_strength = SSL_HIGH, 835 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 836 .strength_bits = 256, 837 .alg_bits = 256, 838 }, 839 840 /* Cipher C4 */ 841 { 842 .valid = 1, 843 .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 844 .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, 845 .algorithm_mkey = SSL_kDHE, 846 .algorithm_auth = SSL_aRSA, 847 .algorithm_enc = SSL_CAMELLIA256, 848 .algorithm_mac = SSL_SHA256, 849 .algorithm_ssl = SSL_TLSV1_2, 850 .algo_strength = SSL_HIGH, 851 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 852 .strength_bits = 256, 853 .alg_bits = 256, 854 }, 855 856 /* Cipher C5 */ 857 { 858 .valid = 1, 859 .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, 860 .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, 861 .algorithm_mkey = SSL_kDHE, 862 .algorithm_auth = SSL_aNULL, 863 .algorithm_enc = SSL_CAMELLIA256, 864 .algorithm_mac = SSL_SHA256, 865 .algorithm_ssl = SSL_TLSV1_2, 866 .algo_strength = SSL_HIGH, 867 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 868 .strength_bits = 256, 869 .alg_bits = 256, 870 }, 871 #endif /* OPENSSL_NO_CAMELLIA */ 872 873 /* 874 * TLSv1.3 cipher suites. 875 */ 876 877 #ifdef LIBRESSL_HAS_TLS1_3 878 /* Cipher 1301 */ 879 { 880 .valid = 1, 881 .name = TLS1_3_TXT_AES_128_GCM_SHA256, 882 .id = TLS1_3_CK_AES_128_GCM_SHA256, 883 .algorithm_mkey = SSL_kTLS1_3, 884 .algorithm_auth = SSL_aTLS1_3, 885 .algorithm_enc = SSL_AES128GCM, 886 .algorithm_mac = SSL_AEAD, 887 .algorithm_ssl = SSL_TLSV1_3, 888 .algo_strength = SSL_HIGH, 889 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 890 .strength_bits = 128, 891 .alg_bits = 128, 892 }, 893 894 /* Cipher 1302 */ 895 { 896 .valid = 1, 897 .name = TLS1_3_TXT_AES_256_GCM_SHA384, 898 .id = TLS1_3_CK_AES_256_GCM_SHA384, 899 .algorithm_mkey = SSL_kTLS1_3, 900 .algorithm_auth = SSL_aTLS1_3, 901 .algorithm_enc = SSL_AES256GCM, 902 .algorithm_mac = SSL_AEAD, 903 .algorithm_ssl = SSL_TLSV1_3, 904 .algo_strength = SSL_HIGH, 905 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ 906 .strength_bits = 256, 907 .alg_bits = 256, 908 }, 909 910 /* Cipher 1303 */ 911 { 912 .valid = 1, 913 .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, 914 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, 915 .algorithm_mkey = SSL_kTLS1_3, 916 .algorithm_auth = SSL_aTLS1_3, 917 .algorithm_enc = SSL_CHACHA20POLY1305, 918 .algorithm_mac = SSL_AEAD, 919 .algorithm_ssl = SSL_TLSV1_3, 920 .algo_strength = SSL_HIGH, 921 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ 922 .strength_bits = 256, 923 .alg_bits = 256, 924 }, 925 #endif 926 927 /* Cipher C006 */ 928 { 929 .valid = 1, 930 .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 931 .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 932 .algorithm_mkey = SSL_kECDHE, 933 .algorithm_auth = SSL_aECDSA, 934 .algorithm_enc = SSL_eNULL, 935 .algorithm_mac = SSL_SHA1, 936 .algorithm_ssl = SSL_TLSV1, 937 .algo_strength = SSL_STRONG_NONE, 938 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 939 .strength_bits = 0, 940 .alg_bits = 0, 941 }, 942 943 /* Cipher C007 */ 944 { 945 .valid = 1, 946 .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 947 .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 948 .algorithm_mkey = SSL_kECDHE, 949 .algorithm_auth = SSL_aECDSA, 950 .algorithm_enc = SSL_RC4, 951 .algorithm_mac = SSL_SHA1, 952 .algorithm_ssl = SSL_TLSV1, 953 .algo_strength = SSL_LOW, 954 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 955 .strength_bits = 128, 956 .alg_bits = 128, 957 }, 958 959 /* Cipher C008 */ 960 { 961 .valid = 1, 962 .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 963 .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 964 .algorithm_mkey = SSL_kECDHE, 965 .algorithm_auth = SSL_aECDSA, 966 .algorithm_enc = SSL_3DES, 967 .algorithm_mac = SSL_SHA1, 968 .algorithm_ssl = SSL_TLSV1, 969 .algo_strength = SSL_MEDIUM, 970 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 971 .strength_bits = 112, 972 .alg_bits = 168, 973 }, 974 975 /* Cipher C009 */ 976 { 977 .valid = 1, 978 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 979 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 980 .algorithm_mkey = SSL_kECDHE, 981 .algorithm_auth = SSL_aECDSA, 982 .algorithm_enc = SSL_AES128, 983 .algorithm_mac = SSL_SHA1, 984 .algorithm_ssl = SSL_TLSV1, 985 .algo_strength = SSL_HIGH, 986 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 987 .strength_bits = 128, 988 .alg_bits = 128, 989 }, 990 991 /* Cipher C00A */ 992 { 993 .valid = 1, 994 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 995 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 996 .algorithm_mkey = SSL_kECDHE, 997 .algorithm_auth = SSL_aECDSA, 998 .algorithm_enc = SSL_AES256, 999 .algorithm_mac = SSL_SHA1, 1000 .algorithm_ssl = SSL_TLSV1, 1001 .algo_strength = SSL_HIGH, 1002 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1003 .strength_bits = 256, 1004 .alg_bits = 256, 1005 }, 1006 1007 /* Cipher C010 */ 1008 { 1009 .valid = 1, 1010 .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1011 .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1012 .algorithm_mkey = SSL_kECDHE, 1013 .algorithm_auth = SSL_aRSA, 1014 .algorithm_enc = SSL_eNULL, 1015 .algorithm_mac = SSL_SHA1, 1016 .algorithm_ssl = SSL_TLSV1, 1017 .algo_strength = SSL_STRONG_NONE, 1018 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1019 .strength_bits = 0, 1020 .alg_bits = 0, 1021 }, 1022 1023 /* Cipher C011 */ 1024 { 1025 .valid = 1, 1026 .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1027 .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1028 .algorithm_mkey = SSL_kECDHE, 1029 .algorithm_auth = SSL_aRSA, 1030 .algorithm_enc = SSL_RC4, 1031 .algorithm_mac = SSL_SHA1, 1032 .algorithm_ssl = SSL_TLSV1, 1033 .algo_strength = SSL_LOW, 1034 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1035 .strength_bits = 128, 1036 .alg_bits = 128, 1037 }, 1038 1039 /* Cipher C012 */ 1040 { 1041 .valid = 1, 1042 .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1043 .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1044 .algorithm_mkey = SSL_kECDHE, 1045 .algorithm_auth = SSL_aRSA, 1046 .algorithm_enc = SSL_3DES, 1047 .algorithm_mac = SSL_SHA1, 1048 .algorithm_ssl = SSL_TLSV1, 1049 .algo_strength = SSL_MEDIUM, 1050 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1051 .strength_bits = 112, 1052 .alg_bits = 168, 1053 }, 1054 1055 /* Cipher C013 */ 1056 { 1057 .valid = 1, 1058 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1059 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1060 .algorithm_mkey = SSL_kECDHE, 1061 .algorithm_auth = SSL_aRSA, 1062 .algorithm_enc = SSL_AES128, 1063 .algorithm_mac = SSL_SHA1, 1064 .algorithm_ssl = SSL_TLSV1, 1065 .algo_strength = SSL_HIGH, 1066 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1067 .strength_bits = 128, 1068 .alg_bits = 128, 1069 }, 1070 1071 /* Cipher C014 */ 1072 { 1073 .valid = 1, 1074 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1075 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1076 .algorithm_mkey = SSL_kECDHE, 1077 .algorithm_auth = SSL_aRSA, 1078 .algorithm_enc = SSL_AES256, 1079 .algorithm_mac = SSL_SHA1, 1080 .algorithm_ssl = SSL_TLSV1, 1081 .algo_strength = SSL_HIGH, 1082 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1083 .strength_bits = 256, 1084 .alg_bits = 256, 1085 }, 1086 1087 /* Cipher C015 */ 1088 { 1089 .valid = 1, 1090 .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1091 .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1092 .algorithm_mkey = SSL_kECDHE, 1093 .algorithm_auth = SSL_aNULL, 1094 .algorithm_enc = SSL_eNULL, 1095 .algorithm_mac = SSL_SHA1, 1096 .algorithm_ssl = SSL_TLSV1, 1097 .algo_strength = SSL_STRONG_NONE, 1098 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1099 .strength_bits = 0, 1100 .alg_bits = 0, 1101 }, 1102 1103 /* Cipher C016 */ 1104 { 1105 .valid = 1, 1106 .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1107 .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1108 .algorithm_mkey = SSL_kECDHE, 1109 .algorithm_auth = SSL_aNULL, 1110 .algorithm_enc = SSL_RC4, 1111 .algorithm_mac = SSL_SHA1, 1112 .algorithm_ssl = SSL_TLSV1, 1113 .algo_strength = SSL_LOW, 1114 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1115 .strength_bits = 128, 1116 .alg_bits = 128, 1117 }, 1118 1119 /* Cipher C017 */ 1120 { 1121 .valid = 1, 1122 .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1123 .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1124 .algorithm_mkey = SSL_kECDHE, 1125 .algorithm_auth = SSL_aNULL, 1126 .algorithm_enc = SSL_3DES, 1127 .algorithm_mac = SSL_SHA1, 1128 .algorithm_ssl = SSL_TLSV1, 1129 .algo_strength = SSL_MEDIUM, 1130 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1131 .strength_bits = 112, 1132 .alg_bits = 168, 1133 }, 1134 1135 /* Cipher C018 */ 1136 { 1137 .valid = 1, 1138 .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1139 .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1140 .algorithm_mkey = SSL_kECDHE, 1141 .algorithm_auth = SSL_aNULL, 1142 .algorithm_enc = SSL_AES128, 1143 .algorithm_mac = SSL_SHA1, 1144 .algorithm_ssl = SSL_TLSV1, 1145 .algo_strength = SSL_HIGH, 1146 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1147 .strength_bits = 128, 1148 .alg_bits = 128, 1149 }, 1150 1151 /* Cipher C019 */ 1152 { 1153 .valid = 1, 1154 .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1155 .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1156 .algorithm_mkey = SSL_kECDHE, 1157 .algorithm_auth = SSL_aNULL, 1158 .algorithm_enc = SSL_AES256, 1159 .algorithm_mac = SSL_SHA1, 1160 .algorithm_ssl = SSL_TLSV1, 1161 .algo_strength = SSL_HIGH, 1162 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1163 .strength_bits = 256, 1164 .alg_bits = 256, 1165 }, 1166 1167 1168 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1169 1170 /* Cipher C023 */ 1171 { 1172 .valid = 1, 1173 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 1174 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 1175 .algorithm_mkey = SSL_kECDHE, 1176 .algorithm_auth = SSL_aECDSA, 1177 .algorithm_enc = SSL_AES128, 1178 .algorithm_mac = SSL_SHA256, 1179 .algorithm_ssl = SSL_TLSV1_2, 1180 .algo_strength = SSL_HIGH, 1181 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1182 .strength_bits = 128, 1183 .alg_bits = 128, 1184 }, 1185 1186 /* Cipher C024 */ 1187 { 1188 .valid = 1, 1189 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 1190 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 1191 .algorithm_mkey = SSL_kECDHE, 1192 .algorithm_auth = SSL_aECDSA, 1193 .algorithm_enc = SSL_AES256, 1194 .algorithm_mac = SSL_SHA384, 1195 .algorithm_ssl = SSL_TLSV1_2, 1196 .algo_strength = SSL_HIGH, 1197 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1198 .strength_bits = 256, 1199 .alg_bits = 256, 1200 }, 1201 1202 /* Cipher C027 */ 1203 { 1204 .valid = 1, 1205 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 1206 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 1207 .algorithm_mkey = SSL_kECDHE, 1208 .algorithm_auth = SSL_aRSA, 1209 .algorithm_enc = SSL_AES128, 1210 .algorithm_mac = SSL_SHA256, 1211 .algorithm_ssl = SSL_TLSV1_2, 1212 .algo_strength = SSL_HIGH, 1213 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, 1214 .strength_bits = 128, 1215 .alg_bits = 128, 1216 }, 1217 1218 /* Cipher C028 */ 1219 { 1220 .valid = 1, 1221 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 1222 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 1223 .algorithm_mkey = SSL_kECDHE, 1224 .algorithm_auth = SSL_aRSA, 1225 .algorithm_enc = SSL_AES256, 1226 .algorithm_mac = SSL_SHA384, 1227 .algorithm_ssl = SSL_TLSV1_2, 1228 .algo_strength = SSL_HIGH, 1229 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, 1230 .strength_bits = 256, 1231 .alg_bits = 256, 1232 }, 1233 1234 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 1235 1236 /* Cipher C02B */ 1237 { 1238 .valid = 1, 1239 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1240 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1241 .algorithm_mkey = SSL_kECDHE, 1242 .algorithm_auth = SSL_aECDSA, 1243 .algorithm_enc = SSL_AES128GCM, 1244 .algorithm_mac = SSL_AEAD, 1245 .algorithm_ssl = SSL_TLSV1_2, 1246 .algo_strength = SSL_HIGH, 1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1248 FIXED_NONCE_LEN(4)| 1249 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1250 .strength_bits = 128, 1251 .alg_bits = 128, 1252 }, 1253 1254 /* Cipher C02C */ 1255 { 1256 .valid = 1, 1257 .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1258 .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1259 .algorithm_mkey = SSL_kECDHE, 1260 .algorithm_auth = SSL_aECDSA, 1261 .algorithm_enc = SSL_AES256GCM, 1262 .algorithm_mac = SSL_AEAD, 1263 .algorithm_ssl = SSL_TLSV1_2, 1264 .algo_strength = SSL_HIGH, 1265 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1266 FIXED_NONCE_LEN(4)| 1267 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1268 .strength_bits = 256, 1269 .alg_bits = 256, 1270 }, 1271 1272 /* Cipher C02F */ 1273 { 1274 .valid = 1, 1275 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1276 .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1277 .algorithm_mkey = SSL_kECDHE, 1278 .algorithm_auth = SSL_aRSA, 1279 .algorithm_enc = SSL_AES128GCM, 1280 .algorithm_mac = SSL_AEAD, 1281 .algorithm_ssl = SSL_TLSV1_2, 1282 .algo_strength = SSL_HIGH, 1283 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1284 FIXED_NONCE_LEN(4)| 1285 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1286 .strength_bits = 128, 1287 .alg_bits = 128, 1288 }, 1289 1290 /* Cipher C030 */ 1291 { 1292 .valid = 1, 1293 .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1294 .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1295 .algorithm_mkey = SSL_kECDHE, 1296 .algorithm_auth = SSL_aRSA, 1297 .algorithm_enc = SSL_AES256GCM, 1298 .algorithm_mac = SSL_AEAD, 1299 .algorithm_ssl = SSL_TLSV1_2, 1300 .algo_strength = SSL_HIGH, 1301 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1302 FIXED_NONCE_LEN(4)| 1303 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1304 .strength_bits = 256, 1305 .alg_bits = 256, 1306 }, 1307 1308 /* Cipher CCA8 */ 1309 { 1310 .valid = 1, 1311 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1312 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1313 .algorithm_mkey = SSL_kECDHE, 1314 .algorithm_auth = SSL_aRSA, 1315 .algorithm_enc = SSL_CHACHA20POLY1305, 1316 .algorithm_mac = SSL_AEAD, 1317 .algorithm_ssl = SSL_TLSV1_2, 1318 .algo_strength = SSL_HIGH, 1319 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1320 FIXED_NONCE_LEN(12), 1321 .strength_bits = 256, 1322 .alg_bits = 256, 1323 }, 1324 1325 /* Cipher CCA9 */ 1326 { 1327 .valid = 1, 1328 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1329 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1330 .algorithm_mkey = SSL_kECDHE, 1331 .algorithm_auth = SSL_aECDSA, 1332 .algorithm_enc = SSL_CHACHA20POLY1305, 1333 .algorithm_mac = SSL_AEAD, 1334 .algorithm_ssl = SSL_TLSV1_2, 1335 .algo_strength = SSL_HIGH, 1336 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1337 FIXED_NONCE_LEN(12), 1338 .strength_bits = 256, 1339 .alg_bits = 256, 1340 }, 1341 1342 /* Cipher CCAA */ 1343 { 1344 .valid = 1, 1345 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1346 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, 1347 .algorithm_mkey = SSL_kDHE, 1348 .algorithm_auth = SSL_aRSA, 1349 .algorithm_enc = SSL_CHACHA20POLY1305, 1350 .algorithm_mac = SSL_AEAD, 1351 .algorithm_ssl = SSL_TLSV1_2, 1352 .algo_strength = SSL_HIGH, 1353 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1354 FIXED_NONCE_LEN(12), 1355 .strength_bits = 256, 1356 .alg_bits = 256, 1357 }, 1358 1359 /* Cipher FF85 FIXME IANA */ 1360 { 1361 .valid = 1, 1362 .name = "GOST2012256-GOST89-GOST89", 1363 .id = 0x300ff85, /* FIXME IANA */ 1364 .algorithm_mkey = SSL_kGOST, 1365 .algorithm_auth = SSL_aGOST01, 1366 .algorithm_enc = SSL_eGOST2814789CNT, 1367 .algorithm_mac = SSL_GOST89MAC, 1368 .algorithm_ssl = SSL_TLSV1, 1369 .algo_strength = SSL_HIGH, 1370 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| 1371 TLS1_STREAM_MAC, 1372 .strength_bits = 256, 1373 .alg_bits = 256 1374 }, 1375 1376 /* Cipher FF87 FIXME IANA */ 1377 { 1378 .valid = 1, 1379 .name = "GOST2012256-NULL-STREEBOG256", 1380 .id = 0x300ff87, /* FIXME IANA */ 1381 .algorithm_mkey = SSL_kGOST, 1382 .algorithm_auth = SSL_aGOST01, 1383 .algorithm_enc = SSL_eNULL, 1384 .algorithm_mac = SSL_STREEBOG256, 1385 .algorithm_ssl = SSL_TLSV1, 1386 .algo_strength = SSL_STRONG_NONE, 1387 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, 1388 .strength_bits = 0, 1389 .alg_bits = 0 1390 }, 1391 1392 1393 /* end of list */ 1394 }; 1395 1396 int 1397 ssl3_num_ciphers(void) 1398 { 1399 return (SSL3_NUM_CIPHERS); 1400 } 1401 1402 const SSL_CIPHER * 1403 ssl3_get_cipher(unsigned int u) 1404 { 1405 if (u < SSL3_NUM_CIPHERS) 1406 return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); 1407 else 1408 return (NULL); 1409 } 1410 1411 const SSL_CIPHER * 1412 ssl3_get_cipher_by_id(unsigned int id) 1413 { 1414 const SSL_CIPHER *cp; 1415 SSL_CIPHER c; 1416 1417 c.id = id; 1418 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 1419 if (cp != NULL && cp->valid == 1) 1420 return (cp); 1421 1422 return (NULL); 1423 } 1424 1425 const SSL_CIPHER * 1426 ssl3_get_cipher_by_value(uint16_t value) 1427 { 1428 return ssl3_get_cipher_by_id(SSL3_CK_ID | value); 1429 } 1430 1431 uint16_t 1432 ssl3_cipher_get_value(const SSL_CIPHER *c) 1433 { 1434 return (c->id & SSL3_CK_VALUE_MASK); 1435 } 1436 1437 int 1438 ssl3_pending(const SSL *s) 1439 { 1440 if (s->internal->rstate == SSL_ST_READ_BODY) 1441 return 0; 1442 1443 return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ? 1444 S3I(s)->rrec.length : 0; 1445 } 1446 1447 int 1448 ssl3_handshake_msg_hdr_len(SSL *s) 1449 { 1450 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : 1451 SSL3_HM_HEADER_LENGTH); 1452 } 1453 1454 int 1455 ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) 1456 { 1457 int ret = 0; 1458 1459 if (!CBB_init(handshake, SSL3_RT_MAX_PLAIN_LENGTH)) 1460 goto err; 1461 if (!CBB_add_u8(handshake, msg_type)) 1462 goto err; 1463 if (SSL_IS_DTLS(s)) { 1464 unsigned char *data; 1465 1466 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1467 SSL3_HM_HEADER_LENGTH)) 1468 goto err; 1469 } 1470 if (!CBB_add_u24_length_prefixed(handshake, body)) 1471 goto err; 1472 1473 ret = 1; 1474 1475 err: 1476 return (ret); 1477 } 1478 1479 int 1480 ssl3_handshake_msg_finish(SSL *s, CBB *handshake) 1481 { 1482 unsigned char *data = NULL; 1483 size_t outlen; 1484 int ret = 0; 1485 1486 if (!CBB_finish(handshake, &data, &outlen)) 1487 goto err; 1488 1489 if (outlen > INT_MAX) 1490 goto err; 1491 1492 if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) 1493 goto err; 1494 1495 memcpy(s->internal->init_buf->data, data, outlen); 1496 1497 s->internal->init_num = (int)outlen; 1498 s->internal->init_off = 0; 1499 1500 if (SSL_IS_DTLS(s)) { 1501 unsigned long len; 1502 uint8_t msg_type; 1503 CBS cbs; 1504 1505 CBS_init(&cbs, data, outlen); 1506 if (!CBS_get_u8(&cbs, &msg_type)) 1507 goto err; 1508 1509 len = outlen - ssl3_handshake_msg_hdr_len(s); 1510 1511 dtls1_set_message_header(s, msg_type, len, 0, len); 1512 dtls1_buffer_message(s, 0); 1513 } 1514 1515 ret = 1; 1516 1517 err: 1518 free(data); 1519 1520 return (ret); 1521 } 1522 1523 int 1524 ssl3_handshake_write(SSL *s) 1525 { 1526 return ssl3_record_write(s, SSL3_RT_HANDSHAKE); 1527 } 1528 1529 int 1530 ssl3_record_write(SSL *s, int type) 1531 { 1532 if (SSL_IS_DTLS(s)) 1533 return dtls1_do_write(s, type); 1534 1535 return ssl3_do_write(s, type); 1536 } 1537 1538 int 1539 ssl3_new(SSL *s) 1540 { 1541 if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) 1542 return (0); 1543 if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) { 1544 free(s->s3); 1545 return (0); 1546 } 1547 1548 s->method->internal->ssl_clear(s); 1549 1550 return (1); 1551 } 1552 1553 void 1554 ssl3_free(SSL *s) 1555 { 1556 if (s == NULL) 1557 return; 1558 1559 tls1_cleanup_key_block(s); 1560 ssl3_release_read_buffer(s); 1561 ssl3_release_write_buffer(s); 1562 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1563 1564 DH_free(S3I(s)->tmp.dh); 1565 EC_KEY_free(S3I(s)->tmp.ecdh); 1566 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1567 1568 tls13_key_share_free(S3I(s)->hs_tls13.key_share); 1569 tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); 1570 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); 1571 tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); 1572 1573 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1574 1575 tls1_transcript_free(s); 1576 tls1_transcript_hash_free(s); 1577 1578 free(S3I(s)->alpn_selected); 1579 1580 /* Clear reference to sequence numbers. */ 1581 tls12_record_layer_clear_read_state(s->internal->rl); 1582 tls12_record_layer_clear_write_state(s->internal->rl); 1583 1584 freezero(S3I(s), sizeof(*S3I(s))); 1585 freezero(s->s3, sizeof(*s->s3)); 1586 1587 s->s3 = NULL; 1588 } 1589 1590 void 1591 ssl3_clear(SSL *s) 1592 { 1593 struct ssl3_state_internal_st *internal; 1594 unsigned char *rp, *wp; 1595 size_t rlen, wlen; 1596 1597 tls1_cleanup_key_block(s); 1598 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1599 1600 DH_free(S3I(s)->tmp.dh); 1601 S3I(s)->tmp.dh = NULL; 1602 EC_KEY_free(S3I(s)->tmp.ecdh); 1603 S3I(s)->tmp.ecdh = NULL; 1604 S3I(s)->tmp.ecdh_nid = NID_undef; 1605 freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); 1606 S3I(s)->tmp.x25519 = NULL; 1607 1608 freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); 1609 S3I(s)->hs.sigalgs = NULL; 1610 S3I(s)->hs.sigalgs_len = 0; 1611 1612 tls13_key_share_free(S3I(s)->hs_tls13.key_share); 1613 S3I(s)->hs_tls13.key_share = NULL; 1614 1615 tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); 1616 S3I(s)->hs_tls13.secrets = NULL; 1617 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); 1618 S3I(s)->hs_tls13.cookie = NULL; 1619 S3I(s)->hs_tls13.cookie_len = 0; 1620 tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); 1621 1622 S3I(s)->hs.extensions_seen = 0; 1623 1624 rp = S3I(s)->rbuf.buf; 1625 wp = S3I(s)->wbuf.buf; 1626 rlen = S3I(s)->rbuf.len; 1627 wlen = S3I(s)->wbuf.len; 1628 1629 tls1_transcript_free(s); 1630 tls1_transcript_hash_free(s); 1631 1632 free(S3I(s)->alpn_selected); 1633 S3I(s)->alpn_selected = NULL; 1634 1635 memset(S3I(s), 0, sizeof(*S3I(s))); 1636 internal = S3I(s); 1637 memset(s->s3, 0, sizeof(*s->s3)); 1638 S3I(s) = internal; 1639 1640 S3I(s)->rbuf.buf = rp; 1641 S3I(s)->wbuf.buf = wp; 1642 S3I(s)->rbuf.len = rlen; 1643 S3I(s)->wbuf.len = wlen; 1644 1645 ssl_free_wbio_buffer(s); 1646 1647 /* Not needed... */ 1648 S3I(s)->renegotiate = 0; 1649 S3I(s)->total_renegotiations = 0; 1650 S3I(s)->num_renegotiations = 0; 1651 S3I(s)->in_read_app_data = 0; 1652 1653 s->internal->packet_length = 0; 1654 s->version = TLS1_VERSION; 1655 1656 tls12_record_layer_set_read_seq_num(s->internal->rl, 1657 S3I(s)->read_sequence); 1658 tls12_record_layer_set_write_seq_num(s->internal->rl, 1659 S3I(s)->write_sequence); 1660 1661 S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); 1662 } 1663 1664 long 1665 _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) 1666 { 1667 EVP_PKEY *pkey = NULL; 1668 SESS_CERT *sc; 1669 int ret = 0; 1670 1671 *key = NULL; 1672 1673 if (s->session == NULL || SSI(s)->sess_cert == NULL) 1674 return 0; 1675 1676 sc = SSI(s)->sess_cert; 1677 1678 if ((pkey = EVP_PKEY_new()) == NULL) 1679 return 0; 1680 1681 if (sc->peer_dh_tmp != NULL) { 1682 if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) 1683 goto err; 1684 } else if (sc->peer_ecdh_tmp) { 1685 if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) 1686 goto err; 1687 } else if (sc->peer_x25519_tmp != NULL) { 1688 if (!ssl_kex_dummy_ecdhe_x25519(pkey)) 1689 goto err; 1690 } else if (S3I(s)->hs_tls13.key_share != NULL) { 1691 if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share, 1692 pkey)) 1693 goto err; 1694 } else { 1695 goto err; 1696 } 1697 1698 *key = pkey; 1699 pkey = NULL; 1700 1701 ret = 1; 1702 1703 err: 1704 EVP_PKEY_free(pkey); 1705 1706 return (ret); 1707 } 1708 1709 static int 1710 _SSL_session_reused(SSL *s) 1711 { 1712 return s->internal->hit; 1713 } 1714 1715 static int 1716 _SSL_num_renegotiations(SSL *s) 1717 { 1718 return S3I(s)->num_renegotiations; 1719 } 1720 1721 static int 1722 _SSL_clear_num_renegotiations(SSL *s) 1723 { 1724 int renegs; 1725 1726 renegs = S3I(s)->num_renegotiations; 1727 S3I(s)->num_renegotiations = 0; 1728 1729 return renegs; 1730 } 1731 1732 static int 1733 _SSL_total_renegotiations(SSL *s) 1734 { 1735 return S3I(s)->total_renegotiations; 1736 } 1737 1738 static int 1739 _SSL_set_tmp_dh(SSL *s, DH *dh) 1740 { 1741 DH *dh_tmp; 1742 1743 if (dh == NULL) { 1744 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); 1745 return 0; 1746 } 1747 1748 if ((dh_tmp = DHparams_dup(dh)) == NULL) { 1749 SSLerror(s, ERR_R_DH_LIB); 1750 return 0; 1751 } 1752 1753 DH_free(s->cert->dh_tmp); 1754 s->cert->dh_tmp = dh_tmp; 1755 1756 return 1; 1757 } 1758 1759 static int 1760 _SSL_set_dh_auto(SSL *s, int state) 1761 { 1762 s->cert->dh_tmp_auto = state; 1763 return 1; 1764 } 1765 1766 static int 1767 _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh) 1768 { 1769 const EC_GROUP *group; 1770 int nid; 1771 1772 if (ecdh == NULL) 1773 return 0; 1774 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 1775 return 0; 1776 1777 nid = EC_GROUP_get_curve_name(group); 1778 return SSL_set1_groups(s, &nid, 1); 1779 } 1780 1781 static int 1782 _SSL_set_ecdh_auto(SSL *s, int state) 1783 { 1784 return 1; 1785 } 1786 1787 static int 1788 _SSL_set_tlsext_host_name(SSL *s, const char *name) 1789 { 1790 free(s->tlsext_hostname); 1791 s->tlsext_hostname = NULL; 1792 1793 if (name == NULL) 1794 return 1; 1795 1796 if (strlen(name) > TLSEXT_MAXLEN_host_name) { 1797 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1798 return 0; 1799 } 1800 1801 if ((s->tlsext_hostname = strdup(name)) == NULL) { 1802 SSLerror(s, ERR_R_INTERNAL_ERROR); 1803 return 0; 1804 } 1805 1806 return 1; 1807 } 1808 1809 static int 1810 _SSL_set_tlsext_debug_arg(SSL *s, void *arg) 1811 { 1812 s->internal->tlsext_debug_arg = arg; 1813 return 1; 1814 } 1815 1816 static int 1817 _SSL_set_tlsext_status_type(SSL *s, int type) 1818 { 1819 s->tlsext_status_type = type; 1820 return 1; 1821 } 1822 1823 static int 1824 _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) 1825 { 1826 *exts = s->internal->tlsext_ocsp_exts; 1827 return 1; 1828 } 1829 1830 static int 1831 _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) 1832 { 1833 /* XXX - leak... */ 1834 s->internal->tlsext_ocsp_exts = exts; 1835 return 1; 1836 } 1837 1838 static int 1839 _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) 1840 { 1841 *ids = s->internal->tlsext_ocsp_ids; 1842 return 1; 1843 } 1844 1845 static int 1846 _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) 1847 { 1848 /* XXX - leak... */ 1849 s->internal->tlsext_ocsp_ids = ids; 1850 return 1; 1851 } 1852 1853 static int 1854 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) 1855 { 1856 if (s->internal->tlsext_ocsp_resp != NULL && 1857 s->internal->tlsext_ocsp_resp_len < INT_MAX) { 1858 *resp = s->internal->tlsext_ocsp_resp; 1859 return (int)s->internal->tlsext_ocsp_resp_len; 1860 } 1861 1862 *resp = NULL; 1863 1864 return -1; 1865 } 1866 1867 static int 1868 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) 1869 { 1870 free(s->internal->tlsext_ocsp_resp); 1871 s->internal->tlsext_ocsp_resp = NULL; 1872 s->internal->tlsext_ocsp_resp_len = 0; 1873 1874 if (resp_len < 0) 1875 return 0; 1876 1877 s->internal->tlsext_ocsp_resp = resp; 1878 s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; 1879 1880 return 1; 1881 } 1882 1883 int 1884 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) 1885 { 1886 return ssl_cert_set0_chain(ssl->cert, chain); 1887 } 1888 1889 int 1890 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) 1891 { 1892 return ssl_cert_set1_chain(ssl->cert, chain); 1893 } 1894 1895 int 1896 SSL_add0_chain_cert(SSL *ssl, X509 *x509) 1897 { 1898 return ssl_cert_add0_chain_cert(ssl->cert, x509); 1899 } 1900 1901 int 1902 SSL_add1_chain_cert(SSL *ssl, X509 *x509) 1903 { 1904 return ssl_cert_add1_chain_cert(ssl->cert, x509); 1905 } 1906 1907 int 1908 SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) 1909 { 1910 *out_chain = NULL; 1911 1912 if (ssl->cert->key != NULL) 1913 *out_chain = ssl->cert->key->chain; 1914 1915 return 1; 1916 } 1917 1918 int 1919 SSL_clear_chain_certs(SSL *ssl) 1920 { 1921 return ssl_cert_set0_chain(ssl->cert, NULL); 1922 } 1923 1924 int 1925 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) 1926 { 1927 return tls1_set_groups(&s->internal->tlsext_supportedgroups, 1928 &s->internal->tlsext_supportedgroups_length, groups, groups_len); 1929 } 1930 1931 int 1932 SSL_set1_groups_list(SSL *s, const char *groups) 1933 { 1934 return tls1_set_group_list(&s->internal->tlsext_supportedgroups, 1935 &s->internal->tlsext_supportedgroups_length, groups); 1936 } 1937 1938 long 1939 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1940 { 1941 switch (cmd) { 1942 case SSL_CTRL_GET_SESSION_REUSED: 1943 return _SSL_session_reused(s); 1944 1945 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1946 return _SSL_num_renegotiations(s); 1947 1948 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1949 return _SSL_clear_num_renegotiations(s); 1950 1951 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1952 return _SSL_total_renegotiations(s); 1953 1954 case SSL_CTRL_SET_TMP_DH: 1955 return _SSL_set_tmp_dh(s, parg); 1956 1957 case SSL_CTRL_SET_TMP_DH_CB: 1958 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1959 return 0; 1960 1961 case SSL_CTRL_SET_DH_AUTO: 1962 return _SSL_set_dh_auto(s, larg); 1963 1964 case SSL_CTRL_SET_TMP_ECDH: 1965 return _SSL_set_tmp_ecdh(s, parg); 1966 1967 case SSL_CTRL_SET_TMP_ECDH_CB: 1968 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1969 return 0; 1970 1971 case SSL_CTRL_SET_ECDH_AUTO: 1972 return _SSL_set_ecdh_auto(s, larg); 1973 1974 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1975 if (larg != TLSEXT_NAMETYPE_host_name) { 1976 SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1977 return 0; 1978 } 1979 return _SSL_set_tlsext_host_name(s, parg); 1980 1981 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1982 return _SSL_set_tlsext_debug_arg(s, parg); 1983 1984 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1985 return _SSL_set_tlsext_status_type(s, larg); 1986 1987 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1988 return _SSL_get_tlsext_status_exts(s, parg); 1989 1990 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1991 return _SSL_set_tlsext_status_exts(s, parg); 1992 1993 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1994 return _SSL_get_tlsext_status_ids(s, parg); 1995 1996 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1997 return _SSL_set_tlsext_status_ids(s, parg); 1998 1999 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 2000 return _SSL_get_tlsext_status_ocsp_resp(s, parg); 2001 2002 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 2003 return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); 2004 2005 case SSL_CTRL_CHAIN: 2006 if (larg == 0) 2007 return SSL_set0_chain(s, (STACK_OF(X509) *)parg); 2008 else 2009 return SSL_set1_chain(s, (STACK_OF(X509) *)parg); 2010 2011 case SSL_CTRL_CHAIN_CERT: 2012 if (larg == 0) 2013 return SSL_add0_chain_cert(s, (X509 *)parg); 2014 else 2015 return SSL_add1_chain_cert(s, (X509 *)parg); 2016 2017 case SSL_CTRL_GET_CHAIN_CERTS: 2018 return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); 2019 2020 case SSL_CTRL_SET_GROUPS: 2021 return SSL_set1_groups(s, parg, larg); 2022 2023 case SSL_CTRL_SET_GROUPS_LIST: 2024 return SSL_set1_groups_list(s, parg); 2025 2026 /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ 2027 case SSL_CTRL_GET_SERVER_TMP_KEY: 2028 if (s->server != 0) 2029 return 0; 2030 return _SSL_get_peer_tmp_key(s, parg); 2031 2032 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2033 return SSL_get_min_proto_version(s); 2034 2035 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2036 return SSL_get_max_proto_version(s); 2037 2038 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2039 if (larg < 0 || larg > UINT16_MAX) 2040 return 0; 2041 return SSL_set_min_proto_version(s, larg); 2042 2043 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2044 if (larg < 0 || larg > UINT16_MAX) 2045 return 0; 2046 return SSL_set_max_proto_version(s, larg); 2047 2048 /* 2049 * Legacy controls that should eventually be removed. 2050 */ 2051 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 2052 return 0; 2053 2054 case SSL_CTRL_GET_FLAGS: 2055 return (int)(s->s3->flags); 2056 2057 case SSL_CTRL_NEED_TMP_RSA: 2058 return 0; 2059 2060 case SSL_CTRL_SET_TMP_RSA: 2061 case SSL_CTRL_SET_TMP_RSA_CB: 2062 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2063 return 0; 2064 } 2065 2066 return 0; 2067 } 2068 2069 long 2070 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 2071 { 2072 switch (cmd) { 2073 case SSL_CTRL_SET_TMP_RSA_CB: 2074 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2075 return 0; 2076 2077 case SSL_CTRL_SET_TMP_DH_CB: 2078 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2079 return 1; 2080 2081 case SSL_CTRL_SET_TMP_ECDH_CB: 2082 return 1; 2083 2084 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2085 s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, 2086 unsigned char *, int, void *))fp; 2087 return 1; 2088 } 2089 2090 return 0; 2091 } 2092 2093 static int 2094 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) 2095 { 2096 DH *dh_tmp; 2097 2098 if ((dh_tmp = DHparams_dup(dh)) == NULL) { 2099 SSLerrorx(ERR_R_DH_LIB); 2100 return 0; 2101 } 2102 2103 DH_free(ctx->internal->cert->dh_tmp); 2104 ctx->internal->cert->dh_tmp = dh_tmp; 2105 2106 return 1; 2107 } 2108 2109 static int 2110 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) 2111 { 2112 ctx->internal->cert->dh_tmp_auto = state; 2113 return 1; 2114 } 2115 2116 static int 2117 _SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, EC_KEY *ecdh) 2118 { 2119 const EC_GROUP *group; 2120 int nid; 2121 2122 if (ecdh == NULL) 2123 return 0; 2124 if ((group = EC_KEY_get0_group(ecdh)) == NULL) 2125 return 0; 2126 2127 nid = EC_GROUP_get_curve_name(group); 2128 return SSL_CTX_set1_groups(ctx, &nid, 1); 2129 } 2130 2131 static int 2132 _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) 2133 { 2134 return 1; 2135 } 2136 2137 static int 2138 _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) 2139 { 2140 ctx->internal->tlsext_servername_arg = arg; 2141 return 1; 2142 } 2143 2144 static int 2145 _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2146 { 2147 if (keys == NULL) 2148 return 48; 2149 2150 if (keys_len != 48) { 2151 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2152 return 0; 2153 } 2154 2155 memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); 2156 memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16); 2157 memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16); 2158 2159 return 1; 2160 } 2161 2162 static int 2163 _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) 2164 { 2165 if (keys == NULL) 2166 return 48; 2167 2168 if (keys_len != 48) { 2169 SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); 2170 return 0; 2171 } 2172 2173 memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); 2174 memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); 2175 memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); 2176 2177 return 1; 2178 } 2179 2180 static int 2181 _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) 2182 { 2183 *arg = ctx->internal->tlsext_status_arg; 2184 return 1; 2185 } 2186 2187 static int 2188 _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) 2189 { 2190 ctx->internal->tlsext_status_arg = arg; 2191 return 1; 2192 } 2193 2194 int 2195 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2196 { 2197 return ssl_cert_set0_chain(ctx->internal->cert, chain); 2198 } 2199 2200 int 2201 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) 2202 { 2203 return ssl_cert_set1_chain(ctx->internal->cert, chain); 2204 } 2205 2206 int 2207 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) 2208 { 2209 return ssl_cert_add0_chain_cert(ctx->internal->cert, x509); 2210 } 2211 2212 int 2213 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) 2214 { 2215 return ssl_cert_add1_chain_cert(ctx->internal->cert, x509); 2216 } 2217 2218 int 2219 SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) 2220 { 2221 *out_chain = NULL; 2222 2223 if (ctx->internal->cert->key != NULL) 2224 *out_chain = ctx->internal->cert->key->chain; 2225 2226 return 1; 2227 } 2228 2229 int 2230 SSL_CTX_clear_chain_certs(SSL_CTX *ctx) 2231 { 2232 return ssl_cert_set0_chain(ctx->internal->cert, NULL); 2233 } 2234 2235 static int 2236 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) 2237 { 2238 if (ctx->extra_certs == NULL) { 2239 if ((ctx->extra_certs = sk_X509_new_null()) == NULL) 2240 return 0; 2241 } 2242 if (sk_X509_push(ctx->extra_certs, cert) == 0) 2243 return 0; 2244 2245 return 1; 2246 } 2247 2248 static int 2249 _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) 2250 { 2251 *certs = ctx->extra_certs; 2252 if (*certs == NULL) 2253 *certs = ctx->internal->cert->key->chain; 2254 2255 return 1; 2256 } 2257 2258 static int 2259 _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) 2260 { 2261 *certs = ctx->extra_certs; 2262 return 1; 2263 } 2264 2265 static int 2266 _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) 2267 { 2268 sk_X509_pop_free(ctx->extra_certs, X509_free); 2269 ctx->extra_certs = NULL; 2270 return 1; 2271 } 2272 2273 int 2274 SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) 2275 { 2276 return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, 2277 &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); 2278 } 2279 2280 int 2281 SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) 2282 { 2283 return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, 2284 &ctx->internal->tlsext_supportedgroups_length, groups); 2285 } 2286 2287 long 2288 ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2289 { 2290 switch (cmd) { 2291 case SSL_CTRL_SET_TMP_DH: 2292 return _SSL_CTX_set_tmp_dh(ctx, parg); 2293 2294 case SSL_CTRL_SET_TMP_DH_CB: 2295 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2296 return 0; 2297 2298 case SSL_CTRL_SET_DH_AUTO: 2299 return _SSL_CTX_set_dh_auto(ctx, larg); 2300 2301 case SSL_CTRL_SET_TMP_ECDH: 2302 return _SSL_CTX_set_tmp_ecdh(ctx, parg); 2303 2304 case SSL_CTRL_SET_TMP_ECDH_CB: 2305 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2306 return 0; 2307 2308 case SSL_CTRL_SET_ECDH_AUTO: 2309 return _SSL_CTX_set_ecdh_auto(ctx, larg); 2310 2311 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2312 return _SSL_CTX_set_tlsext_servername_arg(ctx, parg); 2313 2314 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2315 return _SSL_CTX_get_tlsext_ticket_keys(ctx, parg, larg); 2316 2317 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2318 return _SSL_CTX_set_tlsext_ticket_keys(ctx, parg, larg); 2319 2320 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: 2321 return _SSL_CTX_get_tlsext_status_arg(ctx, parg); 2322 2323 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2324 return _SSL_CTX_set_tlsext_status_arg(ctx, parg); 2325 2326 case SSL_CTRL_CHAIN: 2327 if (larg == 0) 2328 return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); 2329 else 2330 return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); 2331 2332 case SSL_CTRL_CHAIN_CERT: 2333 if (larg == 0) 2334 return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); 2335 else 2336 return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); 2337 2338 case SSL_CTRL_GET_CHAIN_CERTS: 2339 return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); 2340 2341 case SSL_CTRL_EXTRA_CHAIN_CERT: 2342 return _SSL_CTX_add_extra_chain_cert(ctx, parg); 2343 2344 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: 2345 if (larg == 0) 2346 return _SSL_CTX_get_extra_chain_certs(ctx, parg); 2347 else 2348 return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); 2349 2350 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: 2351 return _SSL_CTX_clear_extra_chain_certs(ctx); 2352 2353 case SSL_CTRL_SET_GROUPS: 2354 return SSL_CTX_set1_groups(ctx, parg, larg); 2355 2356 case SSL_CTRL_SET_GROUPS_LIST: 2357 return SSL_CTX_set1_groups_list(ctx, parg); 2358 2359 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2360 return SSL_CTX_get_min_proto_version(ctx); 2361 2362 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2363 return SSL_CTX_get_max_proto_version(ctx); 2364 2365 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2366 if (larg < 0 || larg > UINT16_MAX) 2367 return 0; 2368 return SSL_CTX_set_min_proto_version(ctx, larg); 2369 2370 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2371 if (larg < 0 || larg > UINT16_MAX) 2372 return 0; 2373 return SSL_CTX_set_max_proto_version(ctx, larg); 2374 2375 /* 2376 * Legacy controls that should eventually be removed. 2377 */ 2378 case SSL_CTRL_NEED_TMP_RSA: 2379 return 0; 2380 2381 case SSL_CTRL_SET_TMP_RSA: 2382 case SSL_CTRL_SET_TMP_RSA_CB: 2383 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2384 return 0; 2385 } 2386 2387 return 0; 2388 } 2389 2390 long 2391 ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2392 { 2393 switch (cmd) { 2394 case SSL_CTRL_SET_TMP_RSA_CB: 2395 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2396 return 0; 2397 2398 case SSL_CTRL_SET_TMP_DH_CB: 2399 ctx->internal->cert->dh_tmp_cb = 2400 (DH *(*)(SSL *, int, int))fp; 2401 return 1; 2402 2403 case SSL_CTRL_SET_TMP_ECDH_CB: 2404 return 1; 2405 2406 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2407 ctx->internal->tlsext_servername_callback = 2408 (int (*)(SSL *, int *, void *))fp; 2409 return 1; 2410 2411 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: 2412 *(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb; 2413 return 1; 2414 2415 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2416 ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp; 2417 return 1; 2418 2419 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2420 ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, 2421 unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 2422 return 1; 2423 } 2424 2425 return 0; 2426 } 2427 2428 /* 2429 * This function needs to check if the ciphers required are actually available. 2430 */ 2431 const SSL_CIPHER * 2432 ssl3_get_cipher_by_char(const unsigned char *p) 2433 { 2434 uint16_t cipher_value; 2435 CBS cbs; 2436 2437 /* We have to assume it is at least 2 bytes due to existing API. */ 2438 CBS_init(&cbs, p, 2); 2439 if (!CBS_get_u16(&cbs, &cipher_value)) 2440 return NULL; 2441 2442 return ssl3_get_cipher_by_value(cipher_value); 2443 } 2444 2445 int 2446 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 2447 { 2448 CBB cbb; 2449 2450 if (p == NULL) 2451 return (2); 2452 2453 if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) 2454 return (0); 2455 2456 memset(&cbb, 0, sizeof(cbb)); 2457 2458 /* We have to assume it is at least 2 bytes due to existing API. */ 2459 if (!CBB_init_fixed(&cbb, p, 2)) 2460 goto err; 2461 if (!CBB_add_u16(&cbb, ssl3_cipher_get_value(c))) 2462 goto err; 2463 if (!CBB_finish(&cbb, NULL, NULL)) 2464 goto err; 2465 2466 return (2); 2467 2468 err: 2469 CBB_cleanup(&cbb); 2470 return (0); 2471 } 2472 2473 SSL_CIPHER * 2474 ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2475 STACK_OF(SSL_CIPHER) *srvr) 2476 { 2477 unsigned long alg_k, alg_a, mask_k, mask_a; 2478 STACK_OF(SSL_CIPHER) *prio, *allow; 2479 SSL_CIPHER *c, *ret = NULL; 2480 int can_use_ecc; 2481 int i, ii, ok; 2482 CERT *cert; 2483 2484 /* Let's see which ciphers we can support */ 2485 cert = s->cert; 2486 2487 can_use_ecc = (tls1_get_shared_curve(s) != NID_undef); 2488 2489 /* 2490 * Do not set the compare functions, because this may lead to a 2491 * reordering by "id". We want to keep the original ordering. 2492 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2493 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2494 */ 2495 2496 if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2497 prio = srvr; 2498 allow = clnt; 2499 } else { 2500 prio = clnt; 2501 allow = srvr; 2502 } 2503 2504 for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 2505 c = sk_SSL_CIPHER_value(prio, i); 2506 2507 /* Skip TLS v1.2 only ciphersuites if not supported. */ 2508 if ((c->algorithm_ssl & SSL_TLSV1_2) && 2509 !SSL_USE_TLS1_2_CIPHERS(s)) 2510 continue; 2511 2512 /* Skip TLS v1.3 only ciphersuites if not supported. */ 2513 if ((c->algorithm_ssl & SSL_TLSV1_3) && 2514 !SSL_USE_TLS1_3_CIPHERS(s)) 2515 continue; 2516 2517 /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ 2518 if (SSL_USE_TLS1_3_CIPHERS(s) && 2519 !(c->algorithm_ssl & SSL_TLSV1_3)) 2520 continue; 2521 2522 ssl_set_cert_masks(cert, c); 2523 mask_k = cert->mask_k; 2524 mask_a = cert->mask_a; 2525 2526 alg_k = c->algorithm_mkey; 2527 alg_a = c->algorithm_auth; 2528 2529 ok = (alg_k & mask_k) && (alg_a & mask_a); 2530 2531 /* 2532 * If we are considering an ECC cipher suite that uses our 2533 * certificate check it. 2534 */ 2535 if (alg_a & SSL_aECDSA) 2536 ok = ok && tls1_check_ec_server_key(s); 2537 /* 2538 * If we are considering an ECC cipher suite that uses 2539 * an ephemeral EC key check it. 2540 */ 2541 if (alg_k & SSL_kECDHE) 2542 ok = ok && can_use_ecc; 2543 2544 if (!ok) 2545 continue; 2546 ii = sk_SSL_CIPHER_find(allow, c); 2547 if (ii >= 0) { 2548 ret = sk_SSL_CIPHER_value(allow, ii); 2549 break; 2550 } 2551 } 2552 return (ret); 2553 } 2554 2555 int 2556 ssl3_get_req_cert_types(SSL *s, CBB *cbb) 2557 { 2558 unsigned long alg_k; 2559 2560 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; 2561 2562 #ifndef OPENSSL_NO_GOST 2563 if ((alg_k & SSL_kGOST) != 0) { 2564 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) 2565 return 0; 2566 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) 2567 return 0; 2568 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) 2569 return 0; 2570 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) 2571 return 0; 2572 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) 2573 return 0; 2574 } 2575 #endif 2576 2577 if ((alg_k & SSL_kDHE) != 0) { 2578 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2579 return 0; 2580 } 2581 2582 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2583 return 0; 2584 2585 /* 2586 * ECDSA certs can be used with RSA cipher suites as well 2587 * so we don't need to check for SSL_kECDH or SSL_kECDHE. 2588 */ 2589 if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) 2590 return 0; 2591 2592 return 1; 2593 } 2594 2595 int 2596 ssl3_shutdown(SSL *s) 2597 { 2598 int ret; 2599 2600 /* 2601 * Don't do anything much if we have not done the handshake or 2602 * we don't want to send messages :-) 2603 */ 2604 if ((s->internal->quiet_shutdown) || (S3I(s)->hs.state == SSL_ST_BEFORE)) { 2605 s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2606 return (1); 2607 } 2608 2609 if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { 2610 s->internal->shutdown|=SSL_SENT_SHUTDOWN; 2611 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); 2612 /* 2613 * Our shutdown alert has been sent now, and if it still needs 2614 * to be written, S3I(s)->alert_dispatch will be true 2615 */ 2616 if (S3I(s)->alert_dispatch) 2617 return(-1); /* return WANT_WRITE */ 2618 } else if (S3I(s)->alert_dispatch) { 2619 /* resend it if not sent */ 2620 ret = s->method->ssl_dispatch_alert(s); 2621 if (ret == -1) { 2622 /* 2623 * We only get to return -1 here the 2nd/Nth 2624 * invocation, we must have already signalled 2625 * return 0 upon a previous invoation, 2626 * return WANT_WRITE 2627 */ 2628 return (ret); 2629 } 2630 } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2631 /* If we are waiting for a close from our peer, we are closed */ 2632 s->method->internal->ssl_read_bytes(s, 0, NULL, 0, 0); 2633 if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { 2634 return(-1); /* return WANT_READ */ 2635 } 2636 } 2637 2638 if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2639 !S3I(s)->alert_dispatch) 2640 return (1); 2641 else 2642 return (0); 2643 } 2644 2645 int 2646 ssl3_write(SSL *s, const void *buf, int len) 2647 { 2648 errno = 0; 2649 2650 if (S3I(s)->renegotiate) 2651 ssl3_renegotiate_check(s); 2652 2653 return s->method->internal->ssl_write_bytes(s, 2654 SSL3_RT_APPLICATION_DATA, buf, len); 2655 } 2656 2657 static int 2658 ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2659 { 2660 int ret; 2661 2662 errno = 0; 2663 if (S3I(s)->renegotiate) 2664 ssl3_renegotiate_check(s); 2665 S3I(s)->in_read_app_data = 1; 2666 ret = s->method->internal->ssl_read_bytes(s, 2667 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2668 if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) { 2669 /* 2670 * ssl3_read_bytes decided to call s->internal->handshake_func, which 2671 * called ssl3_read_bytes to read handshake data. 2672 * However, ssl3_read_bytes actually found application data 2673 * and thinks that application data makes sense here; so disable 2674 * handshake processing and try to read application data again. 2675 */ 2676 s->internal->in_handshake++; 2677 ret = s->method->internal->ssl_read_bytes(s, 2678 SSL3_RT_APPLICATION_DATA, buf, len, peek); 2679 s->internal->in_handshake--; 2680 } else 2681 S3I(s)->in_read_app_data = 0; 2682 2683 return (ret); 2684 } 2685 2686 int 2687 ssl3_read(SSL *s, void *buf, int len) 2688 { 2689 return ssl3_read_internal(s, buf, len, 0); 2690 } 2691 2692 int 2693 ssl3_peek(SSL *s, void *buf, int len) 2694 { 2695 return ssl3_read_internal(s, buf, len, 1); 2696 } 2697 2698 int 2699 ssl3_renegotiate(SSL *s) 2700 { 2701 if (s->internal->handshake_func == NULL) 2702 return (1); 2703 2704 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2705 return (0); 2706 2707 S3I(s)->renegotiate = 1; 2708 return (1); 2709 } 2710 2711 int 2712 ssl3_renegotiate_check(SSL *s) 2713 { 2714 int ret = 0; 2715 2716 if (S3I(s)->renegotiate) { 2717 if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) && 2718 !SSL_in_init(s)) { 2719 /* 2720 * If we are the server, and we have sent 2721 * a 'RENEGOTIATE' message, we need to go 2722 * to SSL_ST_ACCEPT. 2723 */ 2724 /* SSL_ST_ACCEPT */ 2725 S3I(s)->hs.state = SSL_ST_RENEGOTIATE; 2726 S3I(s)->renegotiate = 0; 2727 S3I(s)->num_renegotiations++; 2728 S3I(s)->total_renegotiations++; 2729 ret = 1; 2730 } 2731 } 2732 return (ret); 2733 } 2734 /* 2735 * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF 2736 * and handshake macs if required. 2737 */ 2738 long 2739 ssl_get_algorithm2(SSL *s) 2740 { 2741 long alg2 = S3I(s)->hs.new_cipher->algorithm2; 2742 2743 if (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && 2744 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) 2745 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; 2746 return alg2; 2747 } 2748